Remote access outfit GoTo has admitted that a threat actor exfiltrated an encryption key that allowed access to "a portion" of encrypted backup files.
A third-party cloud storage service GoTo uses for its own products and affiliate company LastPass was attacked in August 2022. GoTo and LastPass revealed the incident in separate notifications that The Register covered after the companies 'fessed up in November 2022.
LastPass later admitted that some of its source code was accessed, data stored in the cloud decrypted, and files containing customers' passwords copied. Thankfully those files were well encrypted, so customer data was likely not at risk unless they practised poor password hygiene.
Now GoTo has offered more information on the attack, revealing the attacker "exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere."
"We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups."
Thankfully the data was, again, decently protected.
"The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information," wrote GoTo CEO Paddy Srinivasan. "In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted."
As the data was salted and hashed, Srinivasan expressed confidence that customers are safe.
He's nonetheless decided it's best to reset the affected users' passwords and/or reauthorize their MGA settings.
- LastPass admits attackers have a copy of customers’ password vaults
- LastPass source code, blueprints stolen by intruder
- Popular password manager LastPass to be spun out from LogMeIn
- Lawyers slam SEC for 'blatant fishing expedition' after Exchange mega-attack
"In addition, we are migrating their accounts onto an enhanced Identity Management Platform, which will provide additional security with more robust authentication and login-based security options," he wrote. Sounds like the right thing to do, but also suggests GoTo isn't confident in its existing systems.
That lack of confidence could be mutual for the company's customers. They have endured more than two months of secrecy about the incident, followed by updates two months apart.
There may be more unwelcome news to come: Srinivasan's post ends with "We appreciate your understanding while we continue to work expeditiously to complete our investigation." ®